On Dec 23, 2007 1:25 PM, Bruce Momjian <[EMAIL PROTECTED]> wrote: > I have written documentation for this item: > > http://momjian.us/tmp/pgsql/server-shutdown.html#SERVER-SPOOFING > > Comments?
I thought the content made sense, but the location didn't. I wouldn't expect to find instructions on configuring Postgres for secure operation under a section about how to shut the server down. I realise that in order for the exploit to occur, the server must be shut down (or not yet started), but unless a user already knows about the way the exploit works, how will they know to look for info about it here? IMO by putting this guidance under "Shutting Down" you're going to hurt the chances of anyone stumbling across it. I doubt you'd get many users reading "Shutting Down" at all because in most cases, it's an easy or obvious thing to do (initscripts provided by package and pg_ctl are self-explanatory). Regards, BJ ---------------------------(end of broadcast)--------------------------- TIP 7: You can help support the PostgreSQL project by donating at http://www.postgresql.org/about/donate